North Korea Crypto Scam Grows: Fake IT Workers Target Firms

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Song Kum Hyok from North Korea, Russian national Gayk Astaryan, and four entities tied to a North Korean-operated scheme involving fake IT workers.

According to an official statement from the department, Song is identified as a malicious cyber actor linked to the Democratic People’s Republic of Korea’s (DPRK) Reconnaissance General Bureau (RGB) hacking group known as Andraiel. 

Song is alleged to have orchestrated a scheme involving information technology (IT) workers recruited to obtain employment at American companies with the purpose of generating revenue to support the DPRK. These fake IT workers, primarily nationals operating from countries such as China and Russia, were provided with fabricated identities and false nationalities. The companies that employed them were reportedly unaware of the fraudulent documentation.

Song is alleged to have used the personal information of U.S. individuals—including names, Social Security numbers, and addresses—to fabricate identities for the foreign IT workers he employed.

OFAC reported that, in certain instances, these fakeIT workers deployed malware within company networks to facilitate further exploitation.

Furthermore, Asatryan utilized his Russia-based businesses to employ North Korean IT personnel. In mid-2024, he reportedly entered into a ten-year contract with the DPRK entity Korea Songkwang Trading General Corporation (Songkwang Trading). Under this agreement, 30 North Korean IT workers were assigned to operate in Russia for Asatryan’s company, Asatryan Limited Liability Company (Asatryan LLC).

The Russian national also entered into an agreement with the DPRK firm Korea Saenal Trading Corporation (Saenal Trading) to deploy 50 North Korean IT workers to Russia to support operations at his company, Fortuna Limited Liability Company (Fortuna LLC).

“Today’s action underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs,” Deputy Secretary of the Treasury Michael Faulkender stated. “[The] Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks,” he added. 

Fake IT Workers Highlight Urgent Need for Stronger Web3 Defenses

The recent findings emphasize the evolving nature of cyber threats facing both traditional and decentralized systems. As North Korean-linked actors shift from direct cyberattacks to covert infiltration tactics, the need for rigorous identity verification, operational transparency, and robust network security becomes increasingly critical.

For the Shiba Inu ecosystem — particularly Shibarium, which continues to expand its bridge infrastructure and explore advanced privacy tools — these newly revealed tactics serve as a timely reminder: trust must be built and protected at every layer. As Shibarium welcomes more developers, partners, and users, implementing strong safeguards against infiltration and manipulation will be key to protecting SHIB holders and maintaining long-term community confidence.

Read More

• North Korean Threat Actors Use NimDoor Malware to Target Apple Devices
• North Korea’s Lazarus Group Linked to New $3.2M Crypto Heist
• North Korea’s Lazarus Group Targets Crypto Developers with Malware

Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.